What

- A systematic, measurable technical assessment of how the organization's security policy is employed at a specific site
- Physical configuration, environment, software, information handling processes, and user practices are audited
- Used to determine regulatory compliance (e.g., HIPAA)
- Audits are one of three main types of security diagnostics, with penetration testing and vulnerability assessment
- Regularly occurring: define and change security policy over time

Why

- Cover your butt if something goes wrong (get hacked)
- May reveal weaknesses that could lead to theft of something
- May reveal theft has happened
- Usually a legal requirement
HIPAA

- Health Insurance Portability and Accountability Act, 1996
- Establishment of standards for electronic health care transactions
- Privacy rule regulates the use and disclosure of Protected Health Information (PHI) held by health care clearinghouses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions
  - PHI must be disclosed when required by law
  - Individuals must be notified if their PHI is used for something
  - PHI data that is incorrect must be corrected
- Electronic health care transactions: standardized billing, claims, enrollment, status, etc.
What is entailed

- Personal interviews: how aware are people of policy?
- Vulnerability scans
- Operating system configurations: vulnerable apps that are not used?
- Analysis of network shares: who has access to what
- Historical data: previous incidents

Questions:

- Are passwords difficult to crack?
- Are there access control lists on network devices to control sharing?
- Are there audit logs to record who accesses data? Are the audit logs reviewed?
- Does OS configuration meet industry best security practices?
- Have all unnecessary apps and services been eliminated?
- Are OS and commercial applications patched to current levels?
- How is backup media stored? Who has access to it? Is it up-to-date?
- Is there a disaster recovery plan? Ever rehearsed it?
- Are there adequate crypto tools for data privacy? Properly configured?
- Have custom-built applications been written with security in mind?
- How have these custom applications been tested for security flaws?
- How are configuration and code changes documented and reviewed?
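Two of the questions above (are there audit logs recording who accesses data, and are they reviewed against the access control lists on network shares) can be answered with a small, repeatable check rather than by eyeballing a log. The following is an added example, not material from the lecture: it assumes a hypothetical log format ("timestamp user action share/object"), a constructed ACL mapping each share to the accounts allowed to use it, and a few constructed log lines, and it flags accesses by accounts not on the ACL and accesses by allowed accounts outside business hours.

```python
"""Added example: reviewing an access audit log against a share ACL.

Log format, ACL contents and business-hours window are all assumptions
constructed for this example; they are not from the lecture.
"""
from datetime import datetime

# Constructed ACL: which accounts may use each network share.
ACL = {
    "patient_records": {"alice", "bob"},
    "billing": {"carol"},
}

# Constructed audit log lines: "<ISO timestamp> <user> <action> <share>/<object>".
SAMPLE_LOG = """\
2024-03-04T09:15:00 alice READ patient_records/1001
2024-03-04T02:40:00 bob READ patient_records/1002
2024-03-04T10:05:00 dave READ billing/inv-77
2024-03-04T11:00:00 carol WRITE billing/inv-78
2024-03-04T23:30:00 mallory READ patient_records/1003
"""


def parse_line(line):
    """Split one log line into (datetime, user, action, share)."""
    ts, user, action, path = line.split(maxsplit=3)
    share = path.split("/", 1)[0]
    return datetime.fromisoformat(ts), user, action, share


def review_audit_log(log_text, acl, business_hours=(8, 18)):
    """Return findings as (timestamp, user, share, reason) tuples.

    An access by an account missing from the share's ACL is always a finding;
    an access by an allowed account is a finding only when it falls outside
    the business-hours window (hours are half-open: start <= hour < end).
    """
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        when, user, action, share = parse_line(line)
        allowed = acl.get(share, set())
        stamp = when.isoformat()
        if user not in allowed:
            findings.append((stamp, user, share, "not on ACL"))
        elif not business_hours[0] <= when.hour < business_hours[1]:
            findings.append((stamp, user, share, "outside business hours"))
    return findings


def summarize(findings):
    """Count findings per user, the figure a reviewer would record for the audit."""
    counts = {}
    for _, user, _, _ in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_audit_log(SAMPLE_LOG, ACL)
    for finding in results:
        print(*finding)
    print(summarize(results))
```

Run on the constructed log, the check reports three findings: bob reading patient records at 02:40, and dave and mallory accessing shares they are not listed on. The value of the script is less the logic than the fact that it turns "are the audit logs reviewed?" into something that runs on a schedule and produces a record the auditor can inspect.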
Define the Scope of the Audit

Asset Lists and Security Perimeter

- What needs to be protected during the audit?
- Security perimeter is conceptual and physical, containing the assets to be protected
- Assets include:
  - The usual hardware
  - Logs of people's activities
  - Web pages important for org functioning
  - Individual access cards

Create a threat list

- Common threats:
  - Passwords
  - Access to hardware by individuals
  - Records of physical assets
  - Data backups
  - Email: spam filters, phishing attempts
  - Backdoor access to client lists?
Predict Future Threats?

- Threat history examined
  - Most threats repeat! Are patterns apparent?
- Check current security trends
  - Numerous public and private orgs keep up-to-date records
- Check competing orgs
  - They probably have the same threat worries

Prioritize Assets & Vulnerabilities

- Vulnerability assessment
- Risk = probability * harm
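The three bullets above fit together: threat history gives an estimate of how often each threat recurs, external trend data fills in threats the organization has not yet seen, and Risk = probability * harm turns both into a ranking. The following added example (not from the lecture) shows that calculation end to end; the incident history, the observation window, the harm figures and the trend probability are all constructed values, and the probability estimate (incidents per year, capped at 1) is a deliberately simple choice.

```python
"""Added example: ranking assets by Risk = probability * harm, with the
probability for each (threat, asset) pair estimated from incident history
and, for pairs never seen locally, taken from external trend data.

All incidents, harm figures and trend numbers below are constructed.
"""
from collections import Counter

# Constructed incident history: (year, threat, asset) over a 5-year window.
INCIDENTS = [
    (2019, "phishing", "email"),
    (2020, "phishing", "email"),
    (2021, "phishing", "email"),
    (2022, "ransomware", "file_server"),
    (2023, "phishing", "email"),
    (2023, "lost_access_card", "server_room"),
]
YEARS_OBSERVED = 5

# Constructed estimated harm per (threat, asset), in arbitrary cost units.
# Harm is what the audit team estimates a single occurrence would cost.
HARM = {
    ("phishing", "email"): 20,
    ("ransomware", "file_server"): 500,
    ("lost_access_card", "server_room"): 150,
    ("theft", "backup_media"): 300,  # never seen locally; see TREND_PROBABILITY
}

# Constructed yearly probabilities from external trend records, used only
# for pairs with no local history ("check current security trends").
TREND_PROBABILITY = {
    ("theft", "backup_media"): 0.05,
}


def annual_probability(history, years):
    """Estimate the yearly probability of each (threat, asset) pair.

    Uses incidents / years observed, capped at 1.0, which treats a threat
    that recurred every year as near-certain to recur again.
    """
    counts = Counter((threat, asset) for _, threat, asset in history)
    return {key: min(1.0, n / years) for key, n in counts.items()}


def rank_risks(history, years, harm, trend):
    """Return (asset, threat, risk) tuples sorted from highest risk down."""
    prob = annual_probability(history, years)
    risks = []
    for (threat, asset), cost in harm.items():
        p = prob.get((threat, asset), trend.get((threat, asset), 0.0))
        risks.append((asset, threat, round(p * cost, 2)))
    return sorted(risks, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for asset, threat, risk in rank_risks(INCIDENTS, YEARS_OBSERVED, HARM, TREND_PROBABILITY):
        print(f"{asset:14} {threat:16} {risk:8.2f}")
```

On the constructed data the most frequent threat (phishing, four incidents in five years) ends up third, because its per-incident harm is small, while the single ransomware incident against the file server tops the list. That inversion is the point of multiplying probability by harm rather than ranking by incident count alone.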
Security Threat Response Plan

Network Access Controls

- Access control lists to prevent unauthorized access
- Data privacy concerns: compliance
- Use of crypto where needed
- Privilege separation - MILS

Intrusion Prevention

- Segment the internal network, protect with firewalls
- Use tools that analyze traffic and issue alerts
  - More than one tap is likely needed

Create Backups

- Ransomware!
- Data corruption or loss by insiders or attackers
- Onsite and offsite storage (especially for mission-critical data)
- Access to backups should be restricted
- Frequently done
Security Threat Response Plan

Email Protection and Filtering

- Spam filters are effective
- Filters detect malicious attachments and remove them
- Individuals need to be educated in what phishing looks like

Physical Intrusion Prevention

- Alarm systems
- Hard drive encryption
- Screaming smartphone
- Access cards for restricted environments